mirror of
https://github.com/nextcloud/server.git
synced 2026-06-09 08:44:07 -04:00
Merge pull request #4691 from owncloud/encryption_improved_error_messages_4617
Encryption improved error messages
This commit is contained in:
Björn Schießle
commit
5b7f76e702
15 changed files with 108 additions and 50 deletions
|
|
@ -104,8 +104,12 @@ if ($needUpgrade) {
|
|||
$storageInfo=OC_Helper::getStorageInfo($dir);
|
||||
$maxUploadFilesize=OCP\Util::maxUploadFilesize($dir);
|
||||
$publicUploadEnabled = \OC_Appconfig::getValue('core', 'shareapi_allow_public_upload', 'yes');
|
||||
// if the encryption app is disabled, than everything is fine (INIT_SUCCESSFUL status code)
|
||||
$encryptionInitStatus = 2;
|
||||
if (OC_App::isEnabled('files_encryption')) {
|
||||
$publicUploadEnabled = 'no';
|
||||
$session = new \OCA\Encryption\Session(new \OC\Files\View('/'));
|
||||
$encryptionInitStatus = $session->getInitialized();
|
||||
}
|
||||
|
||||
$trashEnabled = \OCP\App::isEnabled('files_trashbin');
|
||||
|
|
@ -113,7 +117,7 @@ if ($needUpgrade) {
|
|||
if ($trashEnabled) {
|
||||
$trashEmpty = \OCA\Files_Trashbin\Trashbin::isEmpty($user);
|
||||
}
|
||||
|
||||
|
||||
OCP\Util::addscript('files', 'fileactions');
|
||||
OCP\Util::addscript('files', 'files');
|
||||
OCP\Util::addscript('files', 'keyboardshortcuts');
|
||||
|
|
@ -133,6 +137,7 @@ if ($needUpgrade) {
|
|||
$tmpl->assign('isPublic', false);
|
||||
$tmpl->assign('publicUploadEnabled', $publicUploadEnabled);
|
||||
$tmpl->assign("encryptedFiles", \OCP\Util::encryptedFiles());
|
||||
$tmpl->assign("encryptionInitStatus", $encryptionInitStatus);
|
||||
$tmpl->assign('disableSharing', false);
|
||||
$tmpl->assign('ajaxLoad', $ajaxLoad);
|
||||
$tmpl->printPage();
|
||||
|
|
|
|||
|
|
@ -63,6 +63,15 @@ Files={
|
|||
}
|
||||
|
||||
var encryptedFiles = $('#encryptedFiles').val();
|
||||
var initStatus = $('#encryptionInitStatus').val();
|
||||
if (initStatus === '0') { // enc not initialized, but should be
|
||||
OC.Notification.show(t('files_encryption', 'Encryption App is enabled but your keys are not initialized, please log-out and log-in again'));
|
||||
return;
|
||||
}
|
||||
if (initStatus === '1') { // encryption tried to init but failed
|
||||
OC.Notification.showHtml(t('files_encryption', 'Invalid private key for Encryption App. Please update your private key password in your personal settings to recover access to your encrypted files.'));
|
||||
return;
|
||||
}
|
||||
if (encryptedFiles === '1') {
|
||||
OC.Notification.show(t('files_encryption', 'Encryption was disabled but your files are still encrypted. Please go to your personal settings to decrypt your files.'));
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -116,3 +116,4 @@
|
|||
<input type="hidden" name="allowZipDownload" id="allowZipDownload" value="<?php p($_['allowZipDownload']); ?>" />
|
||||
<input type="hidden" name="usedSpacePercent" id="usedSpacePercent" value="<?php p($_['usedSpacePercent']); ?>" />
|
||||
<input type="hidden" name="encryptedFiles" id="encryptedFiles" value="<?php $_['encryptedFiles'] ? p('1') : p('0'); ?>" />
|
||||
<input type="hidden" name="encryptedInitStatus" id="encryptionInitStatus" value="<?php p($_['encryptionInitStatus']) ?>" />
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ if ($decryptedKey) {
|
|||
|
||||
// success or failure
|
||||
if ($return) {
|
||||
$session->setInitialized(\OCA\Encryption\Session::INIT_SUCCESSFUL);
|
||||
\OCP\JSON::success(array('data' => array('message' => $l->t('Private key password successfully updated.'))));
|
||||
} else {
|
||||
\OCP\JSON::error(array('data' => array('message' => $l->t('Could not update the private key password. Maybe the old password was not correct.'))));
|
||||
|
|
|
|||
|
|
@ -43,23 +43,6 @@ if (!OC_Config::getValue('maintenance', false)) {
|
|||
if($sessionReady) {
|
||||
$session = new \OCA\Encryption\Session($view);
|
||||
}
|
||||
|
||||
$user = \OCP\USER::getUser();
|
||||
// check if user has a private key
|
||||
if ($sessionReady === false
|
||||
|| (!$view->file_exists('/' . $user . '/files_encryption/' . $user . '.private.key')
|
||||
&& OCA\Encryption\Crypt::mode() === 'server')
|
||||
) {
|
||||
|
||||
// Force the user to log-in again if the encryption key isn't unlocked
|
||||
// (happens when a user is logged in before the encryption app is
|
||||
// enabled)
|
||||
OCP\User::logout();
|
||||
|
||||
header("Location: " . OC::$WEBROOT . '/');
|
||||
|
||||
exit();
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// logout user if we are in maintenance to force re-login
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
0.4
|
||||
0.5
|
||||
|
|
|
|||
|
|
@ -1,23 +1,33 @@
|
|||
<?php
|
||||
|
||||
if (!isset($_)) { //also provide standalone error page
|
||||
require_once __DIR__ . '/../../../lib/base.php';
|
||||
|
||||
$l = OC_L10N::get('files_encryption');
|
||||
|
||||
$errorMsg = $l->t('Your private key is not valid! Likely your password was changed outside the ownCloud system (e.g. your corporate directory). You can update your private key password in your personal settings to recover access to your encrypted files.');
|
||||
if (isset($_GET['i']) && $_GET['i'] === '0') {
|
||||
$errorMsg = $l->t('Encryption app not initialized! Maybe the encryption app was re-enabled during your session. Please try to log out and log back in to initialize the encryption app.');
|
||||
$init = '0';
|
||||
} else {
|
||||
$errorMsg = $l->t('Your private key is not valid! Likely your password was changed outside the ownCloud system (e.g. your corporate directory). You can update your private key password in your personal settings to recover access to your encrypted files.');
|
||||
$init = '1';
|
||||
}
|
||||
|
||||
if(isset($_GET['p']) && $_GET['p'] === '1') {
|
||||
if (isset($_GET['p']) && $_GET['p'] === '1') {
|
||||
header('HTTP/1.0 404 ' . $errorMsg);
|
||||
}
|
||||
|
||||
// check if ajax request
|
||||
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
|
||||
// check if ajax request
|
||||
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
|
||||
\OCP\JSON::error(array('data' => array('message' => $errorMsg)));
|
||||
} else {
|
||||
header('HTTP/1.0 404 ' . $errorMsg);
|
||||
$tmpl = new OC_Template('files_encryption', 'invalid_private_key', 'guest');
|
||||
$tmpl->assign('message', $errorMsg);
|
||||
$tmpl->assign('init', $init);
|
||||
$tmpl->printPage();
|
||||
}
|
||||
|
||||
exit;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -159,7 +159,6 @@ class Hooks {
|
|||
* @param array $params keys: uid, password
|
||||
*/
|
||||
public static function setPassphrase($params) {
|
||||
|
||||
// Only attempt to change passphrase if server-side encryption
|
||||
// is in use (client-side encryption does not have access to
|
||||
// the necessary keys)
|
||||
|
|
@ -543,14 +542,18 @@ class Hooks {
|
|||
}
|
||||
|
||||
/**
|
||||
* set migration status back to '0' so that all new files get encrypted
|
||||
* set migration status and the init status back to '0' so that all new files get encrypted
|
||||
* if the app gets enabled again
|
||||
* @param array $params contains the app ID
|
||||
*/
|
||||
public static function preDisable($params) {
|
||||
if ($params['app'] === 'files_encryption') {
|
||||
$query = \OC_DB::prepare('UPDATE `*PREFIX*encryption` SET `migration_status`=0');
|
||||
$query->execute();
|
||||
|
||||
$setMigrationStatus = \OC_DB::prepare('UPDATE `*PREFIX*encryption` SET `migration_status`=0');
|
||||
$setMigrationStatus->execute();
|
||||
|
||||
$session = new \OCA\Encryption\Session(new \OC\Files\View('/'));
|
||||
$session->setInitialized(\OCA\Encryption\Session::NOT_INITIALIZED);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -199,12 +199,12 @@ class Helper {
|
|||
public static function stripUserFilesPath($path) {
|
||||
$trimmed = ltrim($path, '/');
|
||||
$split = explode('/', $trimmed);
|
||||
|
||||
|
||||
// it is not a file relative to data/user/files
|
||||
if (count($split) < 3 || $split[1] !== 'files') {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
$sliced = array_slice($split, 2);
|
||||
$relPath = implode('/', $sliced);
|
||||
|
||||
|
|
@ -219,30 +219,33 @@ class Helper {
|
|||
public static function getPathToRealFile($path) {
|
||||
$trimmed = ltrim($path, '/');
|
||||
$split = explode('/', $trimmed);
|
||||
|
||||
|
||||
if (count($split) < 3 || $split[1] !== "files_versions") {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
$sliced = array_slice($split, 2);
|
||||
$realPath = implode('/', $sliced);
|
||||
//remove the last .v
|
||||
$realPath = substr($realPath, 0, strrpos($realPath, '.v'));
|
||||
|
||||
return $realPath;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief redirect to a error page
|
||||
*/
|
||||
public static function redirectToErrorPage() {
|
||||
public static function redirectToErrorPage($session) {
|
||||
|
||||
$init = $session->getInitialized();
|
||||
|
||||
$location = \OC_Helper::linkToAbsolute('apps/files_encryption/files', 'error.php');
|
||||
$post = 0;
|
||||
if(count($_POST) > 0) {
|
||||
$post = 1;
|
||||
}
|
||||
header('Location: ' . $location . '?p=' . $post);
|
||||
exit();
|
||||
}
|
||||
header('Location: ' . $location . '?p=' . $post . '&i=' . $init);
|
||||
exit();
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -259,7 +262,7 @@ class Helper {
|
|||
|
||||
return (bool) $result;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* check some common errors if the server isn't configured properly for encryption
|
||||
* @return bool true if configuration seems to be OK
|
||||
|
|
|
|||
|
|
@ -30,6 +30,11 @@ class Session {
|
|||
|
||||
private $view;
|
||||
|
||||
const NOT_INITIALIZED = '0';
|
||||
const INIT_EXECUTED = '1';
|
||||
const INIT_SUCCESSFUL = '2';
|
||||
|
||||
|
||||
/**
|
||||
* @brief if session is started, check if ownCloud key pair is set up, if not create it
|
||||
* @param \OC_FilesystemView $view
|
||||
|
|
@ -112,6 +117,36 @@ class Session {
|
|||
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Sets status of encryption app
|
||||
* @param string $init INIT_SUCCESSFUL, INIT_EXECUTED, NOT_INOITIALIZED
|
||||
* @return bool
|
||||
*
|
||||
* @note this doesn not indicate of the init was successful, we just remeber the try!
|
||||
*/
|
||||
public function setInitialized($init) {
|
||||
|
||||
\OC::$session->set('encryptionInitialized', $init);
|
||||
|
||||
return true;
|
||||
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @brief Gets status if we already tried to initialize the encryption app
|
||||
* @returns init status INIT_SUCCESSFUL, INIT_EXECUTED, NOT_INOITIALIZED
|
||||
*
|
||||
* @note this doesn not indicate of the init was successful, we just remeber the try!
|
||||
*/
|
||||
public function getInitialized() {
|
||||
if (!is_null(\OC::$session->get('encryptionInitialized'))) {
|
||||
return \OC::$session->get('encryptionInitialized');
|
||||
} else {
|
||||
return self::NOT_INITIALIZED;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Gets user or public share private key from session
|
||||
* @returns string $privateKey The user's plaintext private key
|
||||
|
|
|
|||
|
|
@ -131,7 +131,7 @@ class Stream {
|
|||
|
||||
if($this->privateKey === false) {
|
||||
// if private key is not valid redirect user to a error page
|
||||
\OCA\Encryption\Helper::redirectToErrorPage();
|
||||
\OCA\Encryption\Helper::redirectToErrorPage($this->session);
|
||||
}
|
||||
|
||||
$this->size = $this->rootView->filesize($this->rawPath, $mode);
|
||||
|
|
|
|||
|
|
@ -37,7 +37,6 @@ class Util {
|
|||
const MIGRATION_IN_PROGRESS = -1; // migration is running
|
||||
const MIGRATION_OPEN = 0; // user still needs to be migrated
|
||||
|
||||
|
||||
private $view; // OC_FilesystemView object for filesystem operations
|
||||
private $userId; // ID of the currently logged-in user
|
||||
private $client; // Client side encryption mode flag
|
||||
|
|
@ -1752,6 +1751,11 @@ class Util {
|
|||
*/
|
||||
public function initEncryption($params) {
|
||||
|
||||
$session = new \OCA\Encryption\Session($this->view);
|
||||
|
||||
// we tried to initialize the encryption app for this session
|
||||
$session->setInitialized(\OCA\Encryption\Session::INIT_EXECUTED);
|
||||
|
||||
$encryptedKey = Keymanager::getPrivateKey($this->view, $params['uid']);
|
||||
|
||||
$privateKey = Crypt::decryptPrivateKey($encryptedKey, $params['password']);
|
||||
|
|
@ -1762,9 +1766,8 @@ class Util {
|
|||
return false;
|
||||
}
|
||||
|
||||
$session = new \OCA\Encryption\Session($this->view);
|
||||
|
||||
$session->setPrivateKey($privateKey);
|
||||
$session->setInitialized(\OCA\Encryption\Session::INIT_SUCCESSFUL);
|
||||
|
||||
return $session;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,7 +16,9 @@ $view = new \OC_FilesystemView('/');
|
|||
$util = new \OCA\Encryption\Util($view, $user);
|
||||
$session = new \OCA\Encryption\Session($view);
|
||||
|
||||
$privateKeySet = $session->getPrivateKey() !== false;
|
||||
$privateKeySet = $session->getPrivateKey() !== false;
|
||||
// did we tried to initialize the keys for this session?
|
||||
$initialized = $session->getInitialized();
|
||||
|
||||
$recoveryAdminEnabled = OC_Appconfig::getValue('files_encryption', 'recoveryAdminEnabled');
|
||||
$recoveryEnabledForUser = $util->recoveryEnabledForUser();
|
||||
|
|
@ -31,6 +33,7 @@ if ($recoveryAdminEnabled || !$privateKeySet) {
|
|||
$tmpl->assign('recoveryEnabled', $recoveryAdminEnabled);
|
||||
$tmpl->assign('recoveryEnabledForUser', $recoveryEnabledForUser);
|
||||
$tmpl->assign('privateKeySet', $privateKeySet);
|
||||
$tmpl->assign('initialized', $initialized);
|
||||
|
||||
$result = $tmpl->fetchPage();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,9 +2,11 @@
|
|||
<li class='error'>
|
||||
<?php $location = \OC_Helper::linkToRoute( "settings_personal" ).'#changePKPasswd' ?>
|
||||
|
||||
<?php p($l->t('Your private key is not valid! Maybe the your password was changed from outside.')); ?>
|
||||
<?php p($_['message']); ?>
|
||||
<br/>
|
||||
<?php p($l->t('You can unlock your private key in your ')); ?> <a href="<?php echo $location?>"><?php p($l->t('personal settings')); ?>.</a>
|
||||
<?php if($_['init']): ?>
|
||||
<?php>p($l->t('Go directly to your ')); ?> <a href="<?php echo $location?>"><?php p($l->t('personal settings')); ?>.</a>
|
||||
<?php endif; ?>
|
||||
<br/>
|
||||
</li>
|
||||
</ul>
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
<?php p( $l->t( 'Encryption' ) ); ?>
|
||||
</legend>
|
||||
|
||||
<?php if ( ! $_["privateKeySet"] ): ?>
|
||||
<?php if ( ! $_["privateKeySet"] && $_["initialized"] ): ?>
|
||||
<p>
|
||||
<a name="changePKPasswd" />
|
||||
<label for="changePrivateKeyPasswd">
|
||||
|
|
@ -39,22 +39,22 @@
|
|||
<?php endif; ?>
|
||||
|
||||
<br />
|
||||
|
||||
|
||||
<?php if ( $_["recoveryEnabled"] && $_["privateKeySet"] ): ?>
|
||||
<p>
|
||||
<label for="userEnableRecovery"><?php p( $l->t( "Enable password recovery:" ) ); ?></label>
|
||||
<br />
|
||||
<em><?php p( $l->t( "Enabling this option will allow you to reobtain access to your encrypted files in case of password loss" ) ); ?></em>
|
||||
<br />
|
||||
<input
|
||||
<input
|
||||
type='radio'
|
||||
name='userEnableRecovery'
|
||||
value='1'
|
||||
<?php echo ( $_["recoveryEnabledForUser"] == 1 ? 'checked="checked"' : '' ); ?> />
|
||||
<?php p( $l->t( "Enabled" ) ); ?>
|
||||
<br />
|
||||
|
||||
<input
|
||||
|
||||
<input
|
||||
type='radio'
|
||||
name='userEnableRecovery'
|
||||
value='0'
|
||||
|
|
|
|||
Loading…
Reference in a new issue